Salami slicing attacks
Uploaded by xchym-hiep
$whoami
What are salami slicing attacks?
Salami slicing refers to a series of many small actions, often performed by clandestine means, that, as an accumulated whole, produce a much larger action or result that would be difficult or unlawful to perform all at once. The term is typically used pejoratively. Although salami slicing is often used to carry out illegal activities, it is only a strategy for gaining an advantage over time by accumulating it in small increments, so it can be used in perfectly legal ways as well.
In information security, a salami attack is a series of minor attacks that together result in a larger attack. Computers are ideally suited to automating this type of attack.
Salami slicing: How to cheat a water meter
Rounding attacks
Rounding attacks - Ex1: Internet banking
Round(0.005, 2) = 0.01 USD = 1 cent
100 * (105.60 VND -> 0.01 USD) => 10,560.00 VND = 1.00 USD
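The Ex1 arithmetic from a bank's side, as an added example that is not part of the original slides: it measures the rounding gain of each conversion, shows a conversion that truncates instead of rounding half up, and flags accounts whose cumulative gain passes a threshold. The rate of 21,120 VND per USD is inferred from the slide's 105.60 VND -> 0.005 USD; the account names, the 0.10 USD threshold and the sample log are constructed.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("21120")  # VND per USD, inferred from the slide (assumption)

def convert_naive(vnd):
    """Pattern from the slide: round half up to the nearest cent."""
    return (vnd / RATE).quantize(CENT, rounding=ROUND_HALF_UP)

def convert_hardened(vnd):
    """Truncate toward zero so rounding never favours the customer."""
    return (vnd / RATE).quantize(CENT, rounding=ROUND_DOWN)

def rounding_gain(vnd, convert):
    """USD credited above the exact converted value (negative = bank keeps it)."""
    return convert(vnd) - vnd / RATE

def total_credited(transactions, convert):
    """Sum of USD credited over a list of (account, vnd_amount) records."""
    return sum((convert(vnd) for _, vnd in transactions), Decimal("0"))

def flag_accounts(transactions, convert, max_gain=Decimal("0.10")):
    """Return {account: gain} for accounts whose cumulative rounding gain
    exceeds max_gain (hypothetical monitoring threshold)."""
    gains = defaultdict(Decimal)
    for account, vnd in transactions:
        gains[account] += rounding_gain(vnd, convert)
    return {acct: gain for acct, gain in gains.items() if gain > max_gain}

# Constructed sample log: 100 micro-conversions on one account,
# one ordinary conversion on another.
SAMPLE = [("acct-A", Decimal("105.60"))] * 100 + [("acct-B", Decimal("2112000"))]

if __name__ == "__main__":
    print("naive credit for acct-A:", total_credited(SAMPLE[:100], convert_naive))
    print("flagged (naive):", flag_accounts(SAMPLE, convert_naive))
    print("flagged (hardened):", flag_accounts(SAMPLE, convert_hardened))
```

Truncation only helps if it is applied in whichever direction disfavours the customer for each conversion, and amounts must be held as `Decimal`, not binary floats.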
Rounding attacks - Ex2: Petrol station
22,200.00 VNĐ --> 1 litre
200 VNĐ --> 0.009009009...
Round(0.00909, 2) = 0.01 litre
100 * (200 VND -> 0.01 litre) => 20,000.00 VND = 1 litre
22,200.00 VNĐ --> 1 litre
50,000.00 VNĐ --> 2.2522522522...
Round(2.252252, 2) = 2.25 litre
In Viet Nam, petrol stations use a round-down/truncate function. That means you guys always lose :)
Deposit account - Ex3
You have 100$, you deposit 100$ --> 1.2$/month
You deposit 42 cents --> 0.00504$/month
Round(0.00504, 2) = 0.01$ = 1 cent/month
You should split 100$ across 238 accounts (42 cents per account). After one month, you will get 238 x 0.01$ = 2.38$ :)